jinkysab avatar image
jinkysab asked

Client Credential Flow - no need to renew refresh token?

In my React app I just want to make simple GET requests to the Browse API to show to users on my site. For the Oauth authorisation I am following the Client Credentials flow

For testing purposes I am using cURL and I'm not seeing any mention of a refresh token in the response. Is that because the refresh token doesn't expire applications, and you only need to get a new refresh token (after 18 months) for authorisation code grant flow

If I'm mistaken, please let me know!

oauth2refresh token rest api
· 7
10 |600

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

michab2003 avatar image michab2003 commented ·

maybe you created a "Application Access Token", here you don´t get a refresh token. the refresh-token will be returned only if you create a "User Access Token", both a different flows.

Application Access Token: grant_type = client_credentials

User Access Token: grant_type = authorization_code

1 Like 1 ·
jinkysab avatar image jinkysab michab2003 commented ·
Awesome yes. I hadn't realised that application access token / client credentials route would not need to handle refresh tokens. That makes things much simpler :)
0 Likes 0 ·
thecarcomparison avatar image thecarcomparison jinkysab commented ·
Are you storing your access token or getting a new one on every get request? Reason I ask is because I’ve seen there’s a rate limit so wondered if people tend to store client tokens
0 Likes 0 ·
Show more comments
jinkysab avatar image jinkysab commented ·

Hmm OK, I'm getting a CORS error when making the request to The preflight check returns saying

  • Referrer Policy: strict-origin-when-cross-origin
(I'm in latest Chrome).

Is there any way around this to make the HTTP request?

0 Likes 0 ·
michab2003 avatar image michab2003 jinkysab commented ·

i only work in the backend, but when you search at google with "ebay oauth cors" you will find this: and in that project its said: "Because of the eBay CORS problems a Proxy server is required to use the API in the Browser. "

1 Like 1 ·

0 Answers


Write an Answer

Hint: Notify or tag a user in this post by typing @username.

Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.